Hola’s VPN service could see your IP address matched to illegal activity, if it’s used as an exit node.

The terms and conditions of the Hola service have recently been thrown into sharp focus following a spam attack on popular image board 8chan.

According to 8chan founder Frederick Brennan, the attack used Hola’s premium Luminati service to post multiple spam messages on the site.

Brennan explained how Hola works in a nutshell on a standalone 8chan post: “When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP.

“This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this.”

The free VPN service, available as a browser extension for Firefox and Chrome and an Android app, easily lets you mask your true location and make it appear as if you’re accessing the web from Salisbury, MD in the US of A instead of Salisbury, Wiltshire in the UK.

While this is great for watching shows that rights owners would rather you didn’t see, there’s a sting in the tail. Or to be precise, a sting in the exit node.

For those who don’t know, a node is basically a location on a network which receives traffic and passes it on, using its own identifying credentials. The system has worked well for services like the open-source Tor Project, which lets users across the world access material which their governments deem objectionable – as users can access sites through someone else’s connection.

One difference between the Tor onion router and Hola is that you don’t get to choose whether or not you set yourself up as an exit node.

The premium Luminati service uses the connections of free Hola users as exit nodes – meaning your IP address could be potentially matched to the activities of someone else.

Those who were using Hola to do nothing naughtier than perhaps watching content on Netflix that they couldn’t get at home could have been enabling less savoury types: drug dealers, terrorists and peddlers of child sex abuse imagery.

After the issue gained some airtime on Reddit, Hola’s staff speedily updated the company’s T’s and C’s, inserting some vague blurb pertaining to the fact that users were being treated as a commodity, and did their best to attenuate the noise being made by a large group of the service’s 9 million-odd user base who, rightly, felt aggrieved by the company’s backhanded business practices.

The co-founder of the Israeli company, Ofer Vilenski, has jumped to the defence of his company though, telling Vice’s tech channel Motherboard: “We can provide [Hola] for free since each user is also an exit node for other users,” and he went on to state that Hola users were made aware of the issue in advance – though archived versions of the company’s website would appear to contradict the assertion.

Vilenski added that the Luminati service was heavily policed and that Bui’s account has now been suspended. Motherboard’s Lorenzo Franceschi-Bicchierai quotes an unnamed Luminati sales rep telling a security researcher: “we simply offer you a proxy platform, what you do with it, is up to you,” and “we have no idea what you are doing on our platform.”